{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

('Dawn Song', 'Midterm 1', '(solution)') Spring 2012

# ('Dawn Song', 'Midterm 1', '(solution)') Spring 2012 - Dawn...

This preview shows pages 1–5. Sign up to view the full content.

Dawn Song Spring 2012 CS 161 Computer Security Midterm Your Full Name: Your Berkeley Email: This is a closed-book midterm. You may not consult any lecture or written notes, cheatsheets, textbooks, etc. Calculators and computers are not permit- ted. Please write your answers in the spaces provided in the test. We will not grade anything on the back of an exam page unless we are clearly told on the front of the page to look there. You have 80 minutes. There are 6 questions, of varying credit (62 points total). The questions are of varying di±culty, so avoid spending too long on any one question. Do not turn this page until your instructor tells you to do so. Question Points Total Problem 1 6 Problem 2 10 Problem 3 9 Problem 4 8 Problem 5 10 Problem 6 18 Total 61

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
1. (6 points) Control Hijacking Indicate whether the statement is always valid. Indicate true or false, and give a one sentence explanation. Answer: +1 point for correct true false statement. +1 point for correct explanation. (a) (2 points) A stack canary prevents control hijacking from occurring. True. Reason: False. Reason: Answer: False. Canaries protect against stack based at- tacks by detecting when the return address is modi±ed. This prevent bu²er over³ows, but does not prevent other exploits like exception handlers, pointer overwriting/sub- terfuge, heap exploits, etc. (b) (2 points) Consider the following program: typedef void (*type_fp)(void); void happy_function() { // something } int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; } Assume that you control the input to the function a (). You can make the program behave incorrectly and jump to any arbitrary address. True. Reason: False. Reason: Answer: False. In this scenario, a maximum of 2 bytes of the function pointer can be overwritten (size 16 bu²er on stack, Page 2
with size 18 parameter to strncpy). In order to jump to any arbitrary address, 4 bytes of address space are required to be overwritten. (c) (2 points) Return oriented programming (arc-injection) is a viable technique to use to defeat stack canaries. True. Reason: False. Reason: Answer: False. The canary is stored on the stack at a lower memory address than the return address. Meaning, when the bu±er is over²owed to change the return address for an arc injection attack, the canary will also be over-written, causing the data injection to fail. Arc injection in general, only defeats non-executable stack protection. Page 3

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
2. (10 points) Symbolic Execution Consider the following program: 1 void c a l l e r ( in t a , in t b) { 2 in t ptr ; 3 4 i f (b > 0) { 5 ptr = getbuf (a , b) ; 6 i f ( ptr != NULL) 7 ptr [ 0 ] = 0; 8 } 9 } 10 11 getbuf ( in t x , in t y) { 12 13 / i n i t i a l i z e a l l elements to zero / 14 in t buf [ 2 0 ] = { 0 } ; 15 in t z ; 16 17 i f (x > y) 18 return NULL; 19 i f < 20 z = x ; 21 e l s e 22 z = x ; 23 i f ( z < 20) 24 buf [ z ] = y ; 25 return buf ; 26 } (a) (2 points) Consider the assignment at line 7. Is this assignment mem- ory safe? Explain your reasoning in one sentence.
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### Page1 / 19

('Dawn Song', 'Midterm 1', '(solution)') Spring 2012 - Dawn...

This preview shows document pages 1 - 5. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online